    ̪sG2011/07/22
    qĤCت 7.1-1 ڭ̥iHo{Oӫʥ]niJDEeĤ@D}dAAOHLinux EH iHFPLkF쪺\঳ǡHण@kӤOȰwx@DEӤwOHALinux DnOzL Netfilter P TCP Wrappers EӺ޲zC䤤AzL Netfilter EAڭ̥iHFp IP DEW (IP ɾ\) AåB]^ Internet sڤp IP Ҭ[] Linux A (DNAT \)IuܤI o@عzӻA]u^nTI


    9.1 {Ѩ

    wFHɪ`N}n骺|}HκWwqN~AA̦n^̾ڦۤvӭqwEI o˹AA|O@II򤰻OOHNOzLqw@ǦǪWhAúިiJڭ̺kDE (Ϊ̥iHOk) ƫʥ]@REIsqӻAun^RPLoiXڭ̺޲zkʥ]ơA NiH٬C

    SiHw騾PEn騾Cw騾OѼtγ]pnDEwA ow騾@~tDnHѫʥ]ƪLoEDAñNLn\ளC]x§@\ӤwA ]ʥ]LoIJvΡCܩn騾OHNOڭ̳oӏظ`nӽA[I n騾NObO@tw@Mn(κ٬E)AҦp Netfilter P TCP Wrappers iH٬n騾C

    LAAϥNOΨӫO@ڭ̺wNNNTIڭ̳oӏظ`Dnb Linux tѪn騾\ANO Netfilter Cܩ TCP Wrappers MbgĤQKػ{ѨtA̭͹LFAڭ̳oR|yL̔xTI



    9.1.1 }leӭӴƶ

    ѩ󥻏إDnتb Netfilter oRʥ]LoEA]̭\hʥ]PTتynD`MEA ]Aky, IP kg覡ΡAݦ@w~CШĤG[j@U MAC, IP, ICMP, TCP, UDP Ϋʥ]Yƪ{ѡAH Network/Netmask k (CIDR) gkΡC

    t~AM Netfilter EiHzL iptables O覡ӶiWhƧǻPקALmijAQ shell script ӼgݩAۤvEnA]WhƧǻPJ㦳n[ԎʡA iHAWhM@ICҥHbA}lAUƤeAƱAiH\ŪL}ƤFG


    9.1.2 ݭn

    JNRĤCت 7.1-1 iHo{A ʥ]iJEɡA|qLBAn{ǡBSELinuxPɮרtΡCҥH򥻤WApGAt (1)wg}ݭnӥBMIAȡF (2)wgNӨtҦn鳣Ob̷sAF (3)v]wSBwɶiQu@F (4)wg|ϥΪ̨㦳}nBtާ@ߺDC AtڤWwgwFInn[]HNoI

    LAܳ@ɬOܽzA Linux DE]O@̔xFAw@ѧAbiYӳn骺ɡA DEMNŰʤF@ӺAȡApGASިMAȪϥνdAMAȴNΩҦ Internet }A NꐷФFI]MAȥiiH\HnJAtAOMIH

    ҥHoA@OH̤j\NODUAyYǪAȪsӷzI |ҨӻG (1)AiHɮ׶ljKA (FTP) ublkDE~^ϥΡAӤ Internet }F (2)AiH Linux DEȥiH^Ȥݪ WWW nDALAȳ}F (3)ARiHDEȯDʹ~suCϹLӻAYΤݹڭ̥DEoeDʳsuʥ]A (TCP ʥ] SYN flag) NH׆ΆΡCoǴNO̥Dn\FI

    ҥHm{A̭nȴNObWُXG

    • γQH(plk)PQH(p Internet)qF
    • ُXi Internet AȻPO@AȡF
    • RXi^Pi^ʥ]AF

    SMTA Linux iptables nRiHiN`J NAT (Network Address Translation) ]wAöiuʪ IP ʥ]U\ALAx@DEӻA ̔xROWTNOFIҥHAAݤݭnOHzAWASMݭnI ӥBAnDyAtǸƻPAȻݭnO@zAwݭnO@AȨӳ]wWhaI Uڭ̥ӽͤ@͡Ab Linux WY`ǡH


    9.1.3 Linux tWDnO

    򥻤WA̾ڨ޲zdAڭ̥iHNϤkPx@DEޡCbx@DEޤ譱A Dnʥ]Lo Netfilter P̾ڪAȳn{@R TCP Wrappers RCYHkӨA ѩOS@ѾA]Dnhʥ]Lo Netfilter PQΥNzA (proxy server) isNz覡FC


    • Netfilter (ʥ]LoE)

      ҿתʥ]LoAYORiJDEʥ]ANʥ]YƮXӶiRAHMwMsuΩתEC ѩoR覡iH^Rʥ]YơAҥH]Aw}(MAC), n} (IP), TCP, UDP, ICMP Ϋʥ]TiHiLoR\A]γ~D`sxC(DnRO OSI Chw 2, 3, 4 hT)

      b Linux Wڭ̨ϥή֤ߤت Netfilter oEA Netfilter ѤF iptables oӳnӧ@ʥ]LoOCѩ Netfilter O֤ߤت\A]LIJvD`@I D`AX@p쪺]wOINetfilter QΤ@ǫʥ]LoWh]wAөwqXƥiH^A ƻݭnAHFO@DEتI


    • TCP Wrappers ({)

      t@R׫ʥ]iJkAzLA{~ (tcpd) ӳBmIPʥ]LoPOA oREDnORֹY{isAMzLWhhRMA{֯^suB֤suC ѩDnOzLRA{ӱޡA]PŰʪfL}AuP{W٦}C |ҨӻAڭ̪D FTP iHŰʦbDW port 21 ioASAzL Linux ت TCP wrappers FTP ɡA AunD FTP nW (vsftpd) AML@Ah FTP ŰʦbӰfA|QMWh޲zC


    • Proxy (NzA)

      NzAO@RAȡAiHyNzzϥΪ̪ݨDAӥNeAo}ơCNI^UoӹϥܧaG

      Figure 9.1-1: Proxy Server

      HWϬҡAS Client ݷQne Internet o Google ƮɡALoƪy{Oo˪G

      1. client |V proxy server nDơA proxy DBzF
      2. proxy iHRϥΪ̪ IP ӷO_XkHϥΪ̷Qnh Google AO_XkH pGo client nDXkܡA proxy N|DʪD client e Google oơF
      3. Google Ҧ^ǪƬOǵ proxy server AҥH Google AWݨ쪺O proxy server IP oF
      4. ̫ proxy N Google ^Ǫưe clientC

      oAFܡHShA client èS^sW Internet AҥHbu(BJ 1, 4)un Proxy P Client iHsuNiHFI client Ʀܤݭn֦ public IP ISHQn@ client ݪDEɡA DL^} Proxy server A_hOLkP client suTI

      t~A@ proxy DEq`ȶ} port 80, 21, 20 WWW P FTP fӤwAӥBq` Proxy N[]bѾWA]iH㪺xk~suIA LAN ܪw[I ѩ@pܤַ|ΨNzAA]ѨèSͨ proxy server ]wAêܥiHѦҤ@UĤQC squid (1) oӳn骺x google @UaI


    9.1.4 @GuܷN

    ѫeSAARMiHA@ơANOFiHyO@EҦbDEz~ARiHyO@᭱DEzC]NOAFiHQEQJI~A LRiH[]bѾW]H޶iXaݺkʥ]C oRWُ󤺈pkw]@w{תO@@ΩOIUڭ̵yLͤ@ͥثe`PGutmaG


    • x@kAȦ@ӸѾG

      FiH@ Linux E򥻨@~ALRiH[]bѾWHޱӰkʥ]iXC ]AboWYq`ܤֻݭnӤANiHPiH Internet }A ҥHiHO]wWhTI̔xpPUC 9.1-2 ҥܡC

      b 9.1-2 Aѩ󨾤O]wbҦʥ]|gLѾWYA ]oӨiHܻNxkҦʥ]A ӥBAun޲zoDEANiHܻNӦ Internet }ʥ]ױoC un޲z@DEN^y־㪺 LAN ̭ PCAܦE⪺TC

      pGAQnNkުY檺ܡAAƦܥiHbo Linux W[]Y檺NzAA ΤݶȯsWAҶ} WWW AӤwAӥBRiHzLNzAnɤR\A TdXӨӨϥΪ̦bYӮɶIgsW WWW AAA@@IF`aI pGboӨWA[U MRTG yqʱnARwӺkyqiʴCo˰tmuIOG

      • ]~kwg}AҥHw@biH}vjI
      • wE]wiHw Linux DEӺ@YiI
      • ~uݪ Linux DEAҥH󤺈iHF즳Īw@I

      Figure 9.1-2


    • ]twʧ@lAݤ}lG

      @ӻAڭ̪ LAN Q|]wYA]Oڭ̦ۤv LAN IҥHOHk@oILA̱`o쪺JIk]Oϥγo˪@ӫH|}I ]AOҩҦϥΥ~qϥΪ̳OquA]LkOҧAu|yd}aIz hɭԬOѩYǥ~ӳXȧQβʦUm (۰Oq) s^줽qLuӥ[HѨ~nTC

      IҥHApGASOnݭnwO@AN LAN ̭A[]@ӨANwίŤAN|AnoΪO@IӬ[cI^UϩҥܡC

      Figure 9.1-3


    • b᭱[]ADE

      R@R󦳌ê]wANONѺAȪAb᭱AonBOH pUϩҥܡAWeb, Mail P FTP OzLs Internet WhAҥHA Uo|DEb Internet W Public IP O@˪I(o[ڭ̷|bةU NAT AɭԦAj)C uOzLʥ]RAN WWW nDʥ]茰e Web DEAN Mail e Mail Server hBzӤw(zL port P茻)C

      nFA]|DEb Internet Wݨ쪺 IP ۦPAOWoO|PDEA S@̷QnJIA FTP DEnFALϥΦURRkhi𪺥DEAOyz@A @̷Qn@ADEADL^\dwAA_hNJIADEOI

      ӥBAѩDEmbApGoͪp (ҦpYǨϥΪ̤}ާ@fPr[B Qu{fPDEQj[[ΆΪ) AO|vTA`B@C oR覡AΦbj~SA]oǥ~ӻADE_ѥ`TwAȬOܭnI

      LAoR[cUҶi檺]wNo]t port 茻AӥBnܱj޿yA iHjMʥ]UVqɪyʤ覡CsӻA]wW@wסA mӤHӫijso򰵡AROΥHᦳgAӪoR[caI

      Figure 9.1-4

      q`^WϪ줤ANAWߩmbӨAڭ̺٤Dxưk (DMZ)C DMZ تNpPe쪺AIbO@AAҥHN Internet P LAN jm}ӡAp@ӤAOAAΪ̬O LAN Q𳴮ɡAt@Ӱ϶ROnLʪI


    9.1.5 ϥέ

    qeRAڭ̤wgDLʥ]oDnbR OSI ChwS 2, 3, 4 hAJMpܡA Linux Netfilter E쩳iHǤƱOHiHi檺Ru@DnG

    • ʎ Internet ʥ]iJDEYǰf
      oRMAaIҦpA port 21 o FTP }fAYuQn}񵹤ܡAS Internet Ӫʥ]QniJA port 21 ɡANiHNMƫʥ]ᱼI]ڭ̥iHRMʥ]YfXrI

    • ʎYǨӷ IP ʥ]iJ
      ҦpAwgo{Y IP DnOӦۧ@欰DEAunӦM IP ƫʥ]ANNLIoˤ]iHF䪺wI

    • ʎaYǯSXA (flag) ʥ]iJ
      ̱`ʎNOa SYN DʳsuXAFIun@go{AKKIANiHNMʥ]rI

    • Rw} (MAC) ӨMwsuP_
      pGAk̭oJOS㦳@j\O@ɡApGAϥ IP өץLϥκvAӥLooϥ@ IP NnFAbP@ӺkI PRObd}aHS}YAڭ̥iHLdw}[I] MAC OZbdWAҥHAunRMϥΪ̩ҨϥΪ MAC AiHQΨNM MAC AIDL^@ALdӨos MACA_h IP OSΪTI

    M Netfilter wgiHohƱALAROܦhƱSkzL Netfilter ӧI H]wRw[ISMTIֻ]wFAtN@wwH MiHw諸ʥ]iJڭ̪SALAYDZpUALäOҧڭ̪@wNܦwC |XӨҤlӽͤ@͡G

    • äܦĪׯfrΤ}{
      ]Awg}F WWW AȡAA WWW DEWA@wonN WWW AȪ port } Client ݵnJ~aI_hA WWW DE]wFΩSιaI]NOAuniJADEʥ]OnD WWW ƪANiHqLACnFAyU@A WWW An馳|}AΪ̥VAnD WWW AȪMʥ]NOfrbAtzɡAAiO@Ik]S[I ]ӳ]wWhNO|LqL[C

    • Ӧۤ LAN @LӨO
      @ӻAڭ̹ LAN ̭DES򨾤]wA]Oڭ̦ۤv LAN [AҥHSMN]wHkFILA LAN ̭`Oi঳ǺpՔ[AML̤OGNnd}aA OL̴NOIҥHNåκFCoӮɭԴNV|A]󤺈Wh]wq`֡A ҥHNeyu~ΩΉΪpC

    ҥHTARO^ĤCت 7.1-1 hݬݡAR@UMϥܡAAN|DAbA Linux DEaWeAROoG

    • }XӤwAȡF
    • ɯŴXӥi঳DMF
    • []n̰_Xw@----

    L}TROШĤCػ{Ѻw̭hݤ@ݫW[ۨwaI


    9.2 TCP Wrappers

    biJDDeAڭ̥Ӫ@̔xEANO TCP Wrappers oNCpPeA TCP wrappers OzLΤݷQns{ɦWAMRΤݪ IP AݬݬO_ݭnCǵ{䴩 TCP wrappers \Ho TCP wrappers SMp]wHڭ̳o̥̔xͽͧaI(oӤp`ȬO̔xL TCP wrappers Ah}\аѦҰ߽gĤQKeI)



    9.2.1 ǪAȦ䴩

    FA TCP wrappers NOzL /etc/hosts.allow, /etc/hosts.deny o_JӺ޲z@EA ëDҦn鳣iHzLoɮרӱޡAuUn~^zLoɮרӺ޲zWhAOOG

    • super daemon (xinetd) Һ޲zAȡF
    • 䴩 libwrap.so œAȡC

    g xinetd ޲zARnzANO]wɦb /etc/xinetd.d/ ̭AȴNO xinetd Һ޲z[I 򤰻O䴩 libwrap.so œOHNڭ̨Ӷi橳UDAANeoG

    DG
    ЬdXAtSwU xinetd AYSЦwUCwUܫAЬd xinetd ޲zAȦǡH
    G
    [root@www ~]# yum install xinetd
    Setting up Install Process
    Package 2:xinetd-2.3.14-29.el6.x86_64 already installed and latest version
    Nothing to do
    # eܡAwgO̷s xinetd IҥHAwgwUoI
    # ^UӧX xinetd Һ޲zAȸsI
    
    [root@www ~]# chkconfig xinetd on   <==n xinetd on ~ݨ쩳U
    [root@www ~]# chkconfig --list
    ....(eٲ)....
    xinetd based services:
            chargen-dgram:  off
            chargen-stream: off
    ....(ٲ)....
            rsync:          off   <==U@p`dҴNγoNӶ
            tcpmux-server:  off
            telnet:         on
    
    WzG̜KXNO xinetd Һ޲zAȸsoIWzAȤ̔]wAiHzL TCP wrappers Ӻ޲zPI

    DG
    аݡA rsyslogd, sshd, xinetd, httpd (YMAȤsbAЦۦwUn)Ao|ӵ{S䴩 tcp wrappers ץ\H
    G
    ѩ䴩 tcp wrappers Aȥw]t libwrap o@ӰʺA禡wA]iHϥ ldd [ԎMAȧYiC ̔xϥΤ覡G
    [root@www ~]# ldd $(which rsyslogd sshd xinetd httpd)
    # oӤ覡iHNҦʺA禡wXӬd\ALݭnjMC
    # iHzLU覡ӳBz֡I
    
    [root@www ~]# for name in rsyslogd sshd xinetd httpd; do echo $name; \
    > ldd $(which $name) | grep libwrap; done
    rsyslogd
    sshd
            libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fb41d3c9000)
    xinetd
            libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f6314821000)
    httpd
    
    WzGAbMɦWɤUX{ libwrap ANM禡wA~䴩 tcp wrappersC ҥHA sshd, xinetd 䴩AO rsyslogd, httpd o{h䴩C]NOA httpd P rsyslogd ^ϥ /etc/hosts.{allow|deny} Ӷi樾EޡC


    9.2.2 /etc/hosts.{allow|deny} ]w覡

    pzLoɮרөצD IP ӷOHoɮתyk@ˡA̔xG

    <service(program_name)> : <IP, domain, hostname> 
    <A   (Y{W)> : <IP ΠZk ΥDEW>
    # WY > < Osb]wɤI
    

    ڭ̪DWhOǪAoɮ׻PWhuO˩OH򥻤WOo˪G

    • H /etc/hosts.allow uAMWhŦXNHF
    • AH /etc/hosts.deny AWhŦXNHסF
    • YboɮפAYWhŦXA̜hHC

    ڭ̮ rsync o xinetd ޲zAȨӶi满nFAаѦҩUDaG

    DG
    }E 127.0.0.1 iHiEAȡAMAϺ (192.168.1.0/24) iHϥ rsync A P 10.0.0.100 ]^ϥ rsync ALӷh\ϥ rsync C
    G
    ڭ̱onD rsync AȎŰʪɦWA] tcp wrappers OzLŰʪAȪɦWӺ޲zC Sڭ[Ԏ rsync ]wɮɡAiHo{G
    [root@www ~]# cat /etc/xinetd.d/rsync
    service rsync
    {
            disable = yes
            flags           = IPv6
            socket_type     = stream
            wait            = no
            user            = root
            server          = /usr/bin/rsync   <==ɦWs rsync
            server_args     = --daemon
            log_on_failure  += USERID
    }
    
    ]{쪺حngO rsync I]AڭRMno˳]wG
    [root@www ~]# vim /etc/hosts.allow
    ALL: 127.0.0.1    <==oNOEAȳ^I
    rsync: 192.168.1.0/255.255.255.0 10.0.0.100
    
    [root@www ~]# vim /etc/hosts.deny
    rsync: ALL
    

    WDXӭIAA tcp wrappers zAW䴩 192.168.1.0/24 oRzL bit ӋȨөwqkA u䴩 netmask }ܤ覡Ct~ApGhӺkΪ̬Ox@ӷAiHzLŮӂ}[C pGQnghOH]iH[IhgXy kshd: IP z覡]iHAnNҦƗb@TI] tcp wrappers ]O@@WhI
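    As an added example that is not part of the original chapter, the shell script below models the order in which TCP Wrappers consults /etc/hosts.allow and /etc/hosts.deny, so that a rule set such as the rsync one above can be checked against a list of client addresses before it is put on a host. The two file bodies are constructed copies of the chapter's rules; the function names (ip2int, pat_match, file_match, tcpw_decide) are this example's own, and only IPv4 addresses, ALL and the net/netmask form are handled (no hostnames, domains or wildcards).

```shell
#!/bin/sh
# Added example (not from the original chapter): a model of how TCP Wrappers
# evaluates hosts.allow and hosts.deny. The two bodies below are constructed
# test data copied from the chapter's rsync example.

HOSTS_ALLOW='ALL: 127.0.0.1
rsync: 192.168.1.0/255.255.255.0 10.0.0.100'

HOSTS_DENY='rsync: ALL'

# dotted quad -> 32-bit integer
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Does client IP $2 match client pattern $1 (ALL, exact IP, or net/netmask)?
pat_match() {
  case $1 in
    ALL) return 0 ;;
    */*) net=${1%/*}; mask=${1#*/}
         [ $(( $(ip2int "$2") & $(ip2int "$mask") )) -eq \
           $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
    *)   [ "$1" = "$2" ] ;;
  esac
}

# Does file body $1 hold a line whose service list covers service $2 and whose
# client list covers IP $3?  Lines look like "svc1, svc2 : client client ...".
file_match() {
  printf '%s\n' "$1" | (
    while IFS= read -r line; do
      case $line in ''|'#'*) continue ;; esac
      services=$(printf '%s' "${line%%:*}" | tr ',' ' ')
      svc_ok=1
      for s in $services; do
        case $s in ALL|"$2") svc_ok=0 ;; esac
      done
      [ $svc_ok -eq 0 ] || continue
      for c in ${line#*:}; do
        pat_match "$c" "$3" && exit 0
      done
    done
    exit 1
  )
}

# Decision order: hosts.allow is consulted first, then hosts.deny, and a client
# listed in neither file is allowed.
tcpw_decide() {
  if file_match "$HOSTS_ALLOW" "$1" "$2"; then echo allow
  elif file_match "$HOSTS_DENY" "$1" "$2"; then echo deny
  else echo allow
  fi
}

for client in 127.0.0.1 192.168.1.77 10.0.0.100 10.0.0.101; do
  echo "rsync from $client: $(tcpw_decide rsync "$client")"
done
echo "sshd from 10.0.0.101: $(tcpw_decide sshd 10.0.0.101)"
```

The last line shows the point the chapter makes about the default: sshd is named in neither file, so a client that rsync would refuse is still accepted for sshd, which is why a deny-all line for every wrapped service is usually added to hosts.deny.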

    򥻤WAAunzoǸƧYiI]ʎjɨAڭ̳|ijϥΩU Netfilter Eө׫ʥ]C ڭ̷ǷQ}lӪ iptables ʥ]LoaI


    9.3 Linux ʥ]LonGiptables

    WͤFohADnROƱAA쨾OoijDIӥB]ƱADëDU઺C nFA򩳤Uڭ̜iH@@@Aثeڭ̪ 2.6 o Linux ֤ߨ쩳ϥΤ֤ߥ\Ӷi樾]wH



    9.3.1 P Linux ֤ߪn

    Linux \onHoO]LNO Linux ֤ߩҴѡAѩ^gL֤ߨӳBzA]įD`nI LAP֤ߪҨϥΪnO@˪I]֤ߤ䴩OvtiӨӪI

    • Version 2.0Gϥ ipfwadm oӨEF
    • Version 2.2GϥΪO ipchains oӨEF
    • Version 2.4 P 2.6 GDnOϥ iptables oӨEALbYǦ Version 2.4 distributions SAPɤ䴩 ipchains (sœ)AnϥΪ̤MiHϥΨӦ 2.2 ipchains WُCLAijb 2.4 HW֤ߪϥ ipchains I

    ]P֤ߨϥΪEPAB䴩nOPyk]ۦPAҥHb Linux WY]wݩAۤvWhɡAn`N[A uname -r l}@UA֤ߪAIpGAOwU 2004 ~HX distributions ANݭnߤFA]o distributions XGϥ kernel 2.6 ֤ߔ[I ^_^


    9.3.2 ʥ]iJy{GWhǪnʡI

    eXӤp`̭ڭ̤@ͨGyWhzAxIOWh[H] iptables OQΫʥ]LoEA ҥHL|Rʥ]YơCھڪYƻPwqyWhzӨMwMʥ]O_iHiJDEΪ̬OQC NNOGyھګʥ]R "" AwwqWheA Yʥ]ƻPWheۦPhiʧ@A_hN~U@WhIz IbӡyPRǡzWC

    |̔xҤlA]ڹwwq 10 WhnFAS Internet ӤF@ӫʥ]QniJڪDEA 򨾤OpRoӫʥ]OHڭ̥HUϥܨӻnFG

    Figure 9.3-1

    S@Ӻʥ]niJDEeA|g NetFilter iˬdANO iptables WhFC ˬdqLh^ (ACCEPT) iJEo귽ApGˬdqLAhiऩH (DROP) I WϤDnتbiAGyWhOǪzIҦpSʥ]iJ Rule 1 ɡA pGGŦX Rule 1 AɳoӺʥ]N|i Action 1 ʧ@AӤ|z| Rule 2, Rule 3.... γWhRFC

    ӦpGoӫʥ]äŦX Rule 1 AN|iJ Rule 2 FIp@Ӥ@ӳWhhiNOFC pGҦWhŦXHɴN|zLw]ʧ@ (ʥ]F, Policy) ӨMwoӫʥ]hVC ҥHTASAWhDZƦCh~ɡAN|ͫYh~FC 򻡩OHڭ̬ݬݩUoӨҤlG

    ]A Linux DEѤF WWW AȡA۵MNnw port 80 ӎťγqLʥ]WhAOAo{ IP ӷ 192.168.100.100 ѬOcNJIAtAҥHAQnNM IP ʎӡA̫AҦD WWW ʥ]LANoTӳWhӻAAnp]wˇǩOH

    1. Rule 1 192.168.100.100 F
    2. Rule 2 AnD WWW AȪʥ]qLF
    3. Rule 3 NҦʥ]C

    o˪ƦCǴNŦXAݨDALAU@ADZƎhFAܦG

    1. Rule 1 nD WWW AȪʥ]qLF
    2. Rule 2 A 192.168.100.100 F
    3. Rule 3 NҦʥ]C

    ɡA 192.168.100.100 yiHϥΧA WWW AȡzIunLADEeX WWW nDʥ]ANiHϥΧA WWW \FA]AWhǩwqĤ@N|LqLAӤhҼ{ĤGWhIo˥iHzWhǪNqFܡI {bAӷQ@QApG Rule 1 ܦFyNҦʥ]zARule 2 ~]wyWWW Aȫʥ]qLzAаݡAڪ client iHϥΧڪ WWW AȶܡHI׬Oy_zQqFܡH ^_^


    9.3.3 iptables (table) P (chain)

    WA 9.3-1 ҦCXWhȬO iptables hS@ (chain) ӤwC OOHoo iptables Wٻ_C٬ ip"tables" OH ]oӨṋhӪ (table) ACӪ泣wqXۤvw]FPWhA BCӪ檺γ~ۦPCڭ̥iHϥΩUoiϨӵyLA@UG

    Figure 9.3-2: iptables

    9.3-1 WheȥuO 9.3-2 Y chain ӤwI ӹw]pUA Linux iptables ܤִNTӪA]A޲zEiX filter B޲zݥDE (Lq) nat B޲zSXAϥΪ mangle (֨ϥ) C󦳬ƪ̡AڭRiHۭqB~OI uOܯ_aICӪP䤤쪺γ~OOo˪G

    • filter (Lo)GDniJ Linux Eʥ]}AoӬOw] table I
      • INPUTGDnPQniJڭ Linux Eʥ]}F
      • OUTPUTGDnPڭ Linux EҭneXʥ]}F
      • FORWARDGoөNNP Linux ES}YA LiHy茻ʥ]zݪqAPUC nat table }ʸ@C

    • nat (}茂)GO Network Address Translation YgA oӪDnbiӷPت IP port 茂AP Linux EL}ADnP Linux DE᪺kq}C
      • PREROUTINGGbiѧP_eҭni檺Wh(DNAT/REDIRECT)
      • POSTROUTINGGbiѧP_ҭni檺Wh(SNAT/MASQUERADE)
      • OUTPUTGPoeXhʥ]}

    • mangle (}a)GoӪDnOPSʥ]ѺXA}A Ȧ PREROUTING OUTPUT ALq kernel 2.4.18 [JF INPUT FORWARD C ѩoӪPSXA}ʸ@AҥH^̳oRxªSA֨ϥ mangle oӪC

    ҥHApGA Linux O@ www AȡAn}ΤݹA www nD^RANonBz filter INPUT F ӦpGA Linux O@kѾANonR nat UH filter FORWARD ~C]NOA UӪ檺O}YI̔x}YiHѤUϳoݡG

    Figure 9.3-3: iptables

    WϥܫܽzIL򥻤WÂHiHݥXӡAڭ̪ iptables iHTRʥ]yVG

    • ʥ]iJ Linux DEϥθ귽 (| A)G bѧP_TwOV Linux DEnDƪʥ]ADnN|zL filter INPUT Ӷi汱ޡF

    • ʥ]g Linux DE茻ASϥΥDE귽AӬOVݥDEy (| B)G bѧP_eiʥ]Y׭q@~Ao{ʥ]DnOnzLӥhݡAɫʥ]N|zL| B Ӷ]ʡC ]NOAMʥ]؊AëDڭ̪ Linux ECDngLO filter FORWARD H nat POSTROUTING, PREROUTINGC o| B ʥ]yVϥαpAڭ̷|bت 9.5 p`Ӹja@̔xC

    • ʥ] Linux EoeXh (| C)G Ҧp^RΤݪnDAΪ̬O Linux EDʰeXʥ]AOzL| C Ӷ]COzLѧP_A MwFKX|AAzL filter OUTPUT ӶǰeISMA̜RO|gL nat POSTROUTING C
    Tips:
    So{ӡyѧP_zOH]OUVAҥHiPXn}ӬݡI]AiJʥ]ݭnѧP_A eXʥ]SM]niѧP_~^oeXh[IAGH

    ѩ mangle oӪܤֳQϥΡApGN 9.3-3 mangle ܡANeݪhFG

    Figure 9.3-4: iptables

    zL 9.3-4 ANiHPAAWPE̦}O filter oӪ椺 INPUT P OUTPUT oApGA iptables uOΨӫO@ Linux DEܡA nat WhڥNݭnzLA^]w}YiC

    LApGAWOΨӺި LAN LDEܡAANnAw filter FORWARD oAR nat PREROUTING, POSTROUTING H OUTPUT iB~Whqw~C nat 檺ϥλݭnܲMy~^]wnAijsnII̦hNO@VK nat \yIP ɾ\zNnFI ^_^Ioڭ̦bت̫@p`|TI


    9.3.4 E iptables yk

    zAWASAwUn Linux AtRM|DʪDAŰʤ@VKWh~OA LoVKiOڭ̷QnҦA]ڭ̻ݭnB~i@ǭ׭q欰CLAb}li橳UmߤeA mo̦ӫܭnƱni@UC] iptables O|Nʥ]iLoΩתʧ@AҥHA ФnbhݥDEWi樾mA]Aܦi@p߱Nۤv}ba~I ɶqbEenJ tty1-tty6 EimߡA_h``|oʹd@[ImHeb iptables ɡAN``]p߳Wh]wh~AfP``nЭhݪBDs}E...

    责쫥̪ iptables ܤ֦Tӹw] table (filter, nat, mangle)A`ΪOE filter A o]Ow]TCt@ӫhOݥDE nat Aܩ mangle ֨ϥΡAҥHoӏظ`ڭ̨ä|QA mangleC ѩ󤣦P table L̪줣@ˡAfPϥΪOykΦhΤֳItC boӤp`SAڭ̥DnNw filter oӹw]檺TӰCUNӪ@aI

    Tips:
    ]wDnϥΪNO iptables oӫOӤwCӨOt޲zDnȤ@A BtvTSjA]yu root ϥ iptables zAAO]wRO[ԎWhI

    9.3.4-1 Wh[ԎPM

    pGAbwUɭԿܨSܡA iptables b@}lɭRMOSWhALA i]AbwUɭԴNܨt۰DAإߨEAtN|w]WhFI LApAڭ̥ӬݬݥثeEWhOpaI

    [root@www ~]# iptables [-t tables] [-L] [-nv]
    ﶵPӋG
    -t G᭱^ table AҦp nat  filter AYٲءAhϥιw] filter
    -L GCXثe table Wh
    -n Gi IP P HOSTNAME ϬdAܰTt׷|֫ܦhI
    -v GCXhTA]AqLMWhʥ]`줸ӋB}
    
    dҡGCX filter table T쪺Wh
    [root@www ~]# iptables -L -n
    Chain INPUT (policy ACCEPT)   <==w INPUT ABw]Fi^
    target  prot opt source     destination <==
    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED <== 1 Wh
    ACCEPT  icmp --  0.0.0.0/0  0.0.0.0/0                             <== 2 Wh
    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0                             <== 3 Wh
    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:22      <==HU
    REJECT  all  --  0.0.0.0/0  0.0.0.0/0   reject-with icmp-host-prohibited
    
    Chain FORWARD (policy ACCEPT)  <==w FORWARD ABw]Fi^
    target  prot opt source     destination
    REJECT  all  --  0.0.0.0/0  0.0.0.0/0   reject-with icmp-host-prohibited
    
    Chain OUTPUT (policy ACCEPT)  <==w OUTPUT ABw]Fi^
    target  prot opt source     destination
    
    dҡGCX nat table T쪺Wh
    [root@www ~]# iptables -t nat -L -n
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    

    bWAC@ Chain NOe쪺Co Chain @̭A policy NOw]FA U target, prot NOH

    • targetGNi檺ʧ@A ACCEPT OA REJECT hOʎA~A| DROP () ءI
    • protGNϥΪʥ]wADn tcp, udp icmp TRʥ]榡F
    • optGB~ﶵ
    • source GNWhOwӡyӷ IPzi歭H
    • destination GNWhOwӡy؊A IPzi歭H

    bKXGAĤ@ӽdҦ]S[W -t ﶵAҥHw]NO filter oӪ椺 INPUT, OUTPUT, FORWARD T쪺WhoCYwxEӻAINPUT P FORWARD OnިA ҥHAiHo{̫@WhFO REJECT (ʎ) IM INPUT P FORWARD FO (ACCEPT)A Lb̫@WhNwgNʥ]ʎFI

    LoӫO[ԎuO@Ӯ榡ƪd\AnNCӳWh|eRC|ҨӻA ڭ̱N INPUT 5 Wh̾ډKXGӻ@UAG|ܦG

    1. unOʥ]A RELATED,ESTABLISHED NH^
    2. unʥ]wO icmp ANH
    3. LAӷ (0.0.0.0/0) Bnh؊Aʥ]AAʥ]榡 (prot all)Aqq^
    4. unOǵ port 22 Dʦsu tcp ʥ]N^
    5. ʥ]Tqqʎ

    ̦êRMO 3 WhFA|Ҧʥ]TH^HpG^ܡA򪺳WhڥN|ιI WhOȰwCDEj (lo) TIpGSCXAڭ̴Nܮedho ҥHAӉmijϥ iptables-save oӫO[ԎWhTI] iptables-save |CX㪺WhAuOèSWƉKXӤwC

    [root@www ~]# iptables-save [-t table]
    ﶵPӋG
    -t GiHȰwYǪӉKXAҦpȰw nat  filter Ά
    
    [root@www ~]# iptables-save
    # Generated by iptables-save v1.4.7 on Fri Jul 22 15:51:52 2011
    *filter                      <==P}YOAo̬ filter
    :INPUT ACCEPT [0:0]          <==_}YOATت
    :FORWARD ACCEPT [0:0]        <==T쪺FO ACCEPT oI
    :OUTPUT ACCEPT [680:100461]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT <==w INPUT Wh
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT  <==oܭnIw糧E}I
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited <==w FORWARD Wh
    COMMIT
    # Completed on Fri Jul 22 15:51:52 2011
    

    ѤWKXӬݡAuBet lo WhSAy -i lo zNO lo diӪʥ]I oˬݴNMEhFI]g줶}Y[I^e iptables -L -n IoAGI LAJMoӳWhOڭ̷QnAMpקWhOHmijARWhACCإߦUӻݭnWhI pMWhHo˰NFG

    [root@www ~]# iptables [-t tables] [-FXZ]
    ﶵPӋG
    -F GMҦwqwWhF
    -X GҦϥΪ "ۭq"  chain (RMO tables ^oF
    -Z GNҦ chain pӋPyqpks
    
    dҡGME (filter) ҦWh
    [root@www ~]# iptables -F
    [root@www ~]# iptables -X
    [root@www ~]# iptables -Z
    

    ѩoTӫO|NEҦWhMAo|ܹw]F (policy) A ҥHpGAObEUFoTOɡAܥiA|Qۤvצba~ (Y INPUT ]w DROP )Inpߔ[I

    @ӻAڭ̦bswqɭԡA|NWhLMCROoڭ̫eͨ쪺A yWhǡzOSNqAҥHoA SMMWhAM@@ӳ]w|e@ITCUNӽͽͩwqw]FaI


    9.3.4-2 wqw]F (policy)

    MWhAA^UӴNOn]wWhFTIROoFOܡHy SAʥ]bA]wWhɡAhMʥ]qLP_AOH Policy ]wzAbE譱w]FA]A󤺈ϥΪ̦HߪܡA filter INPUT 譱iHwqY@IA FORWARD P OUTPUT hiHqwP@ǡIq`mON INPUT policy wq DROP TALӫhwq ACCEPTC ܩ nat table hȮɥz|LC

    [root@www ~]# iptables [-t nat] -P [INPUT,OUTPUT,FORWARD] [ACCEPT,DROP]
    ﶵPӋG
    -P GwqF( Policy )C`NAo P jg[I
    ACCEPT GMʥ]i^
    DROP   GMʥ]^A| client ݪDQC
    
    dҡGNE INPUT ]w DROP AL]w ACCEPT
    [root@www ~]# iptables -P INPUT   DROP
    [root@www ~]# iptables -P OUTPUT  ACCEPT
    [root@www ~]# iptables -P FORWARD ACCEPT
    [root@www ~]# iptables-save
    # Generated by iptables-save v1.4.7 on Fri Jul 22 15:56:34 2011
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT
    # Completed on Fri Jul 22 15:56:34 2011
    # ѩ INPUT ]w DROP ӤS|WhAҥHWKXGܡG
    # Ҧʥ]LkiJADEIOq]wI(suOUV)
    

    ݨKXGFaHINPUT QקF]wIL nat table T쪺w]F]w]O@˪覡AҦpGy iptables -t nat -P PREROUTING ACCEPT zN]wF nat table PREROUTING 쬰i^NIw]F]wܫAӽͤ@}UWhʥ]]waC


    9.3.4-3 ʥ]GIP, kΤUm

    }lӶi樾Whʥ]]waIJMOںAڭ̴Nѳ̰䪺 IP, kΰfAYO OSI ĤThͰ_AAӽͽ͗Um (d) ΆΡCo@p`PU@p`ykA@wnOA]oO̰䪺ykI

    [root@www ~]# iptables [-AI W] [-io ] [-p w] \
    > [-s ӷIP/k] [-d ؊AIP/k] -j [ACCEPT|DROP|REJECT|LOG]
    ﶵPӋG
    -AI WGwYiWh "AJ"  "}["
        -A GsW[@WhAMWhW[b쥻Wh̫᭱CҦp쥻wg|WhA
             ϥ -A NiH[WĤWhI
        -I GAJ@WhCpGSwWhǡAw]OAJܦĤ@WhC
             Ҧp쥻|WhAϥ -I hMWhܦĤ@Aӭ쥻|ܦ 2~5 
         G INPUT, OUTPUT, FORWARD ΡAW٤SP -io }AЬݩUC
    
    -io G]wʥ]iXWd
        -i Gʥ]ҶiJӺAҦp eth0, lo ΤCݻP INPUT tXF
        -o Gʥ]ҶǥXӺAݻP OUTPUT tXF
    
    -p wG]wWhAΩRʥ]榡
       Dnʥ]榡G tcp, udp, icmp  all C
    
    -s ӷ IP/kG]wWhʥ]ӷءAiwxª IP Υ]AkAҦpG
       IP  G192.168.0.100
       kG192.168.0.0/24, 192.168.0.0/255.255.255.0 iC
       YWdy\zɡAh[W ! YiAҦpG
       -s ! 192.168.100.0/24 ܤ\ 192.168.100.0/24 ʥ]ӷF
    
    -d ؊A IP/kGP -s AuLo̫O؊A IP κkC
    
    -j G᭱^ʧ@ADnʧ@^(ACCEPT)B(DROP)Bʎ(REJECT)ΰO(LOG)
    

    iptables 򥻰ӋNpPWҥܪAȥuͨ IP BkPUmΆΪTA ܩ TCP, UDP ʥ]Sf (port number) PA (p SYN XA) hbUp`~|ͨC nAڭ̨Ӭݬݳ̰䪺XӳWhAҦp} lo oӥEHάY IP ӷaI

    dҡG]w lo HUmAYiX lo ʥ]H^
    [root@www ~]# iptables -A INPUT -i lo -j ACCEPT
    

    JNݤWèSCX -s, -d ΆΪWhAoܡGAʥ]ӦۦBΥh̡AunOӦ lo oӤANH^Io[nANOySwءAhMا^zNI ҦpoӮרSA} -s, -d...ΆΪӋSWwɡANNAȳ|Q^oC

    oNOҿתHUmTIpADEiAӺdA䤤@iO鷺kA]MdN eth1 nFA pGkOiHAMdiXʥ]Nqq|Q^AAN^ΡGyiptables -A INPUT -i eth1 -j ACCEPTz ӱNMUm]wHUmCLAUFoӫOenSO`NA]oˆΩMdS󨾷QFI

    dҡGunOӦۤ (192.168.100.0/24) ʥ]qq^
    [root@www ~]# iptables -A INPUT -i eth1 -s 192.168.100.0/24 -j ACCEPT
    # ѩON^A]]iH٤yHkzoC
    
    dҡGunOӦ 192.168.100.10 N^A 192.168.100.230 oӴcNӷN
    [root@www ~]# iptables -A INPUT -i eth1 -s 192.168.100.10 -j ACCEPT
    [root@www ~]# iptables -A INPUT -i eth1 -s 192.168.100.230 -j DROP
    # wx@ IP ӷAiHDEΪ̬OHcNӷI
    
    [root@www ~]# iptables-save
    # Generated by iptables-save v1.4.7 on Fri Jul 22 16:00:43 2011
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [17:1724]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -s 192.168.100.0/24 -i eth1 -j ACCEPT
    -A INPUT -s 192.168.100.10/32 -i eth1 -j ACCEPT
    -A INPUT -s 192.168.100.230/32 -i eth1 -j DROP
    COMMIT
    # Completed on Fri Jul 22 16:00:43 2011
    

    oNOx̔xWh]wP[Ԏ覡CLAbWרҤAA]o{즳Whi঳D NOWSr_ӪWhǡCwgF 192.168.100.0/24 FAҥH 192.168.100.230 WhNi|QΨIoNOD]w[IAGHMHN[I@_@I pGAQnOYӳWhHiHo˰G

    [root@www ~]# iptables -A INPUT -s 192.168.2.200 -j LOG
    [root@www ~]# iptables -L -n
    target prot opt source         destination
    LOG    all  --  192.168.2.200  0.0.0.0/0   LOG flags 0 level 4
    

    ݨKXG̥A|X{O LOG Iunʥ]Ӧ 192.168.2.200 o IP ɡA Mʥ]}TN|QgJ֤߰TAYO /var/log/messages oɮSC MMʥ]|~i򪺳WhCҥHA LOG oӰʧ@ȦbiOӤwAä|vToӫʥ]LWh諸C nFA^Uӧڭ̤OӬݬ TCP,UDP H ICMP ʥ]LWhaI
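    The rule-order discussion in 9.3.2 (the two orderings of the 192.168.100.100 rule and the WWW rule) and the shadowed 192.168.100.230 DROP in the iptables-save listing above rest on one mechanism: the first rule that matches decides, and nothing after it is consulted. The shell evaluator below is an added example, not code from the original chapter; it walks constructed rule sets written in the chapter's iptables -A INPUT style and reports which rule, or the chain policy, a given packet hits. The names first_match and in_net are this example's own, and only -s (IP or IP/prefix), -p, --dport and -j are understood.

```shell
#!/bin/sh
# Added example (not from the original chapter): first-match evaluation of
# INPUT rules. Rule sets and packets are constructed test data.

# The two orderings discussed in 9.3.2: block one host, allow web, drop the rest
ORDER_A='-s 192.168.100.100 -j DROP
-p tcp --dport 80 -j ACCEPT
-j DROP'
ORDER_B='-p tcp --dport 80 -j ACCEPT
-s 192.168.100.100 -j DROP
-j DROP'

# The 9.3.4-3 case: a network-wide ACCEPT shadows a later single-host DROP,
# and the repaired order that puts the host rule first
SHADOWED='-s 192.168.100.0/24 -j ACCEPT
-s 192.168.100.230 -j DROP'
FIXED='-s 192.168.100.230 -j DROP
-s 192.168.100.0/24 -j ACCEPT'

# dotted quad -> 32-bit integer
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Is IP $2 inside $1, given as a.b.c.d (a single host) or a.b.c.d/prefix?
in_net() {
  case $1 in */*) net=${1%/*}; plen=${1#*/} ;; *) net=$1; plen=32 ;; esac
  mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
  [ $(( $(ip2int "$2") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Evaluate rule set $1 for a packet (source $2, protocol $3, destination port
# $4) under chain policy $5. Rules are tried top to bottom; the first rule
# whose every stated match fits decides and later rules are never looked at.
# If no rule fits, the policy applies. Prints "TARGET (rule N)" or
# "POLICY (policy)".
first_match() {
  rules=$1; src=$2; proto=$3; dport=$4; policy=$5
  printf '%s\n' "$rules" | (
    n=0
    while read -r line; do
      [ -n "$line" ] || continue
      n=$((n + 1))
      set -- $line
      target=; miss=0
      while [ $# -gt 0 ]; do
        case $1 in
          -s)      in_net "$2" "$src"  || miss=1; shift ;;
          -p)      [ "$2" = "$proto" ] || miss=1; shift ;;
          --dport) [ "$2" = "$dport" ] || miss=1; shift ;;
          -j)      target=$2; shift ;;
        esac
        shift
      done
      if [ $miss -eq 0 ]; then echo "$target (rule $n)"; exit 0; fi
    done
    echo "$policy (policy)"
  )
}

echo "order A,  192.168.100.100 -> tcp/80: $(first_match "$ORDER_A" 192.168.100.100 tcp 80 DROP)"
echo "order B,  192.168.100.100 -> tcp/80: $(first_match "$ORDER_B" 192.168.100.100 tcp 80 DROP)"
echo "shadowed, 192.168.100.230 -> tcp/22: $(first_match "$SHADOWED" 192.168.100.230 tcp 22 DROP)"
echo "fixed,    192.168.100.230 -> tcp/22: $(first_match "$FIXED" 192.168.100.230 tcp 22 DROP)"
```

Running it shows the two outcomes the chapter describes: order A drops the blocked host before the WWW rule can accept it, order B accepts it because the WWW rule comes first, and the /24 ACCEPT in SHADOWED means the .230 DROP is never reached until the rules are swapped.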


    9.3.4-4 TCP, UDP WhGwf]w

    ڭ̦bĤGغ͹LURPʥ]榡A bͨ TCP P UDP ɡASNOӰf (port)Ab TCP 譱ht~ҿתsuʥ]AA ]A̱` SYN Dʳsuʥ]榡CpwoRʥ]榡i樾Wh]wOHAiHoˬݡG

    [root@www ~]# iptables [-AI ] [-io ] [-p tcp,udp] \
    > [-s ӷIP/k] [--sport fd] \
    > [-d ؊AIP/k] [--dport fd] -j [ACCEPT|DROP|REJECT]
    ﶵPӋG
    --sport fdGӷfXAfXiHOs򪺡AҦp 1024:65535
    --dport fdG؊AfXC
    

    WNOhF --sport --dport oӪNAIb port WTI LAonSO`NA]Ȧ tcp P udp ʥ]㦳fA]AQnϥ --dport, --sport ɡAon[W -p tcp -p udp Ӌ~|\IUڭ̨ӶiXӤpG

    dҡGQnsuiJE port 21 ʥ]ױG
    [root@www ~]# iptables -A INPUT -i eth0 -p tcp --dport 21 -j DROP
    
    dҡGQsڳoDE (udp port 137,138 tcp port 139,445) N
    [root@www ~]# iptables -A INPUT -i eth0 -p udp --dport 137:138 -j ACCEPT
    [root@www ~]# iptables -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
    [root@www ~]# iptables -A INPUT -i eth0 -p tcp --dport 445 -j ACCEPT
    

    @IAiHQ UDP P TCP wҾ֦fXӶiYǪAȪ}}IARiHXBzOIҦpGunӦ 192.168.1.0/24 1024:65535 fʥ]ABQnsu쥻E ssh port NHסAiHo˰G

    [root@www ~]# iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 \
    > --sport 1024:65534 --dport ssh -j DROP
    

    pGѰO[W -p tcp NϥΤF --dport ɡA|oԣDOH

    [root@www ~]# iptables -A INPUT -i eth0 --dport 21 -j DROP
    iptables v1.4.7: unknown option `--dport'
    Try `iptables -h' or 'iptables --help' for more information.
    

    ARM|\oܩ_ǡAy --dport z|OӋ (arg) OHoO]AS[W -p tcp -p udp tG[IܭnI

    Ff~Ab TCP RSXA[I̱`NOӥDʳsu SYN XAFC ڭ̦b iptables ̭R䴩y --syn zBz覡Aڭ̥HUҤlӻnFG

    dҡGNӦۥaӷ port 1:1023 Dʳsu쥻Eݪ 1:1023 su
    [root@www ~]# iptables -A INPUT -i eth0 -p tcp --sport 1:1023 \
    > --dport 1:1023 --syn -j DROP
    

    @ӻAclient ݎťΪ port Oj 1024 HWfA server ݫhOťΤp 1023 HUfboCҥHڭ̥iHӦۭhݪp 1023 HUfƪDʳsuLI AΦb FTP DʳsuIoڭ̥ӦbGQ@ت FTP AAӽͧaI


    9.3.4-5 iptables ~œGmac P state

    b kernel 2.2 Heϥ ipchains ޲zɡAq`|t޲zSYhI] ipchains Sҿתʥ]AœA]ڭ̥nwʥ]iBXViޱC|ҨӻApGAQnsuhݥDE port 22 ɡAAnwWhӳ]wG

    • Eݪ 1024:65535 hݪ port 22 n (OUTPUT )F
    • hݥDE port 22 쥻E 1024:65535 (INPUT )F

    o|ꐷСI]pGAnsu 10 DE port 22 ɡA] OUTPUT w]} (ACCEPT)A ÂHݭngQWhAQhݥDE port 22 iHsuAaݥDEWC pG}ť port 22 OHS߬YǴcNDE|DʥH port 22 suAEWI P˪DzApGAnaݥDEiHs~ port 80 (WWW A)AN󤣱oF oNOsuOUV@ӫܭnyI

    nbڭ̪ iptables KFoӧxZILiHzL@ӪAœӤR yoӷQniJʥ]O_ڵoXh^RHz pGOڵoXh^RANiHH^IzIuΡIo˴NκޭhݥDEO_suiӪDFI pFOHݬݩUykG

    [root@www ~]# iptables -A INPUT [-m state] [--state A]
    ﶵPӋG
    -m G@ iptables ~œADn`G
         state GAœ
         mac   Gdw} (hardware address)
    --state G@ǫʥ]AADnG
         INVALID    GLĪʥ]AҦpƯ}lʥ]A
         ESTABLISHEDGwgsu\suAF
         NEW        GQnsإ߳suʥ]AF
         RELATED    Goӳ̱`ΡIܳoӫʥ]OPڭ̥DEoeXhʥ]}
    
    dҡGunwإߩά}ʥ]NHqLAunOXkʥ]N
    [root@www ~]# iptables -A INPUT -m state \
    > --state RELATED,ESTABLISHED -j ACCEPT
    [root@www ~]# iptables -A INPUT -m state --state INVALID -j DROP
    

    p@ӡAڭ̪ iptables N|DʤRXMʥ]O_^RAAYOܡAN^H^CI oˤ@ӧANݭnw^Rʥ]ӼgӧOWhFIouOӴΤFIUڭ~ͤ@U iptables t@ӥ~A NOwdӶiPmG

    dҡGwk aa:bb:cc:dd:ee:ff DE}su
    [root@www ~]# iptables -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff \
    > -j ACCEPT
    ﶵPӋG
    --mac-source GNOӷDE MAC TI
    

    pGAϺSYǺ@AѬOiHzLק IP hzLѾ~]AAMH DNӰϺʎHäݭnAAiHzLeͨ쪺 ARP }yAh쨺DE MAC AMzLWYoEA NMDE DROP YiCޥLF IP ADLDAOκd MAC Ӻ޲zA_hLNOXhTIAGH

    Tips:
    MAC ]OiHUAiHzLYdznӭקd MACCLAo̧ڭ̬O] MAC OLkק諸pӻC ~AMAC OwѪA]WzרҤ~SOObϺAӤO Internet ~ӷI

    9.3.4-6 ICMP ʥ]WhGwO_^R ping ӳ]p

    bĤG ICMP wSڭ̪D ICMP ShAӥBܦh ICMP ʥ]OFnΨӶi˴ΪIҥH̦nnNҦ ICMP ʥ]IpGOѾDEɡAq`ڭ̷| ICMP type 8 (echo request) ӤwAhݥDEDڭ̬O_sbA]|^ ping ^RNOFCICMP ʥ]榡BzOo˪G

    [root@www ~]# iptables -A INPUT [-p icmp] [--icmp-type ] -j ACCEPT
    ﶵPӋG
    --icmp-type G᭱n^ ICMP ʥ]A]iHϥΥNA
                  Ҧp 8  N echo request NC
    
    dҡG 0,3,4,11,12,14,16,18  ICMP type iHiJEG
    [root@www ~]# vi somefile
    #!/bin/bash
    icmp_type="0 3 4 11 12 14 16 18"
    for typeicmp in $icmp_type
    do
       iptables -A INPUT -i eth0 -p icmp --icmp-type $typeicmp -j ACCEPT
    done
    
    [root@www ~]# sh  somefile
    

    o˴N^} ICMP ʥ]榡iJEi˴u@FILApGADEO@ϺѾA ij icmp ʥ]ROnqq~nIoO]Τ˴ɡA``|ϥ ping ӴѾuO_ZqGI ҥHnNѾ icmp }A|pTI


    9.3.4-7 WVKΤݨ]pPWhxs

    gLWzE iptables ykRA^Uӧڭ̨ӷQQApGbΤݥBѺAȪ Linux EɡA ARMnp]pAOHAAunRL CentOS w]WhN|DFAzAWA RMnWhpUG

    1. WhksGMҦwgsbWh (iptables -F...)
    2. w]FGF INPUT oӦۭq] DROP ~ALw] ACCEPTF
    3. HEGѩ lo 糧EӻOSnA] lo ]wHUmF
    4. ^Rʥ]GEDʦV~nDӦ^Rʥ]iHiJE (ESTABLISHED,RELATED)
    5. HΤGoODnApGAQnϺӷiΧADE귽

    oNO̳VKAAiHzLĤGBJשҦhݪӷʥ]AӳzLĥ|BJAnDhݥDE^Rʥ]iHiJA [WE lo oӤjUmiHAKKI@ client MΪWhN OK FIAiHbY script Wo˰YiG

    [root@www ~]# vim bin/firewall.sh
    #!/bin/bash
    PATH=/sbin:/bin:/usr/sbin:/usr/bin; export PATH
    
    # 1. MWh
    iptables -F
    iptables -X
    iptables -Z
    
    # 2. ]wF
    iptables -P   INPUT DROP
    iptables -P  OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    
    # 3~5. qUWh
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    #iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
    
    # 6. gJWh]w
    /etc/init.d/iptables save
    
    [root@www ~]# sh bin/firewall.sh
    iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
    

    ]O@ӪAȡAAiHzLychkconfig --list iptableszhԎݴNDFC ]AAoק諸UR]wQnbU}EROsANoniy /etc/init.d/iptables save zoӫO[ӋC ]Am{bONxsʧ@gJo firewall.sh }Ax¨oI{bAA Linux DEwgSO@FA uOpGQn@AAΪ̬O@ѾANonۦ[WYǦۭqWhoC

    Tips:
    ApGA Linux ^xܡA^hק /etc/sysconfig/iptables MN iptables oӪA restartA AWhNO|b}EsboILAmӤHROwg scripts NOFC

    qnWhSMNOnoIpOH

    1. ѥDEV~DʳsuݬݡF
    2. AѨpk PC V~DʳsuݬݡF
    3. ̫A Internet WDEADʳsuA Linux DEݬݡF

    @B@B@UӡAݬݰDXb̡AMhhhiB}I򥻤WAWثeܦhƥiHѧAhѦҤFI o@g]wgO̔xAjRb픬qӤwIƱjaDUI mbѦҸ(2)SCXXӦΪAƱjaůunhhhݬݡI|ܦDUI


    9.3.5 IPv4 ֤ߺ޲z\G /proc/sys/net/ipv4/*

    F iptables oӨn餧~A Linux kernel 2.6 ѫܦh֤߹w]@EI ѩO֤ߪ\AҥH}]wƳOmb /proc/sys/net/ipv4/ oӥؿSC ܩMؿUUɮתNơAiHѦҮ֤ߪ (AonwU kernel-doc n)G

    • /usr/share/doc/kernel-doc-2.6.32/Documentation/networking/ip-sysctl.txt

    mo̤]@QG

    êRMnۦhd@dnIڭ̩UNX̔xɮרӧ@aI


    • /proc/sys/net/ipv4/tcp_syncookies

      ڭ̦be@ؽͨҿת_A (DoS) @kS@R覡ANOQ TCP ʥ] SYN TV洤zҹFA oR覡٬ SYN Flooding CpwoR覡@OHڭ̥iHťή֤ߪ SYN Cookie œ[I o SYN Cookie œiHbtΨӎŰHEsuf (1024:65535) YNΧɦ۰ʎŰʡC

      SŰ SYN Cookie ɡADEboe SYN/ACK T{ʥ]eA|nD Client ݦbuɶ^@ӧǸAoӧǸ]t\h쥻 SYN ʥ]TA]A IPBport ΡCY Client ݥiH^TǸADENTwMʥ]iHA]|oe SYN/ACK ʥ]A_hNz|@ʥ]C

      zL@EiHjjCLĪ SYN ΫݰfAקK SYN Flooding DoS @I pŰʳoӼœOH̔xAo˰YiG
      [root@www ~]# echo "1" > /proc/sys/net/ipv4/tcp_syncookies
      
      Ooӳ]wȥѩH TCP TV洤 (]DEboe SYN/ACK eݭnΫ client Ǹ^R)A ҥHi|yYǪAȪ{HAҦp SMTP (mail server)C L`ӻAoӳ]wROhΪI uOAXΦbtwg@AI ]t@DEɷ|֤߻~PD SYN Flooding @OC

      pGOFt TCP ʥ]sųΤơAhiHѦ tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow oXӳ]wȪNqC


    • /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

      _Aȱ`O SYN Flooding ALAڭ̪DtiH^ϥ ping ^RA ping ʥ]ƶqOiHܤjIQ^@ӪpA pGӷd}aHϥ 1000 xDEǰe ping ADEAӥBC ping @FӋ K bytesɡA AWe|ˡHnNOWeQYAnit|SEI oR覡OQ٬ ping flooding (_o ping) ping of death (oej ping ʥ])C

      pקKOH ICMP 8 ICMP ʥ]^RNOFCڭ̥iHzLөסA o]Oij覡CSM]iH֤ߦ۰ʨ ping ^RCLAnAA Yǰk`A (ҦpʺA IP t DHCP w) |ϥ ping 覡ӰO_ƪ IP AҥHA̦nnҦ ping ^RnC

      ֤ߨ ping ^R]wȦӡAOOG/proc/sys/net/ipv4 icmp_echo_ignore_broadcasts (Ȧ ping broadcast }ɤ~ ping ^R) icmp_echo_ignore_all ( ping ^R)Cmij]w icmp_echo_ignore_broadcasts NnFC AiHo򰵡G
      [root@www ~]# echo "1" >  \
      > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
      

    • /proc/sys/net/ipv4/conf//*

      ̪֤RiHw藍Pi椣@˪Ӌ]wI}]wmb /proc/sys/net/ipv4/conf/ SACӤHNNAҦp eth0 }]wƦb /proc/sys/net/ipv4/conf/eth0/ C]wƦǤݭn`NOH jyUoXӡG

      • rp_filterG٬fV|Lo (Reverse Path Filtering)A iH]ѤRѸTtXʥ]ӷ}AӤRMʥ]O_XzC|ҨӻAAidAeth0 192.168.1.10/24 Aeth1 public IP CS@ӫʥ]ۺ٨Ӧ eth1 AO IP ӷ 192.168.1.200 A oӫʥ]NXzARHCoӳ]wȫijiHŰʪC

      • log_martiansGoӳ]wƥiHΨӎŰʰOXk IP ӷA |ҨӻA]Aӷ 0.0.0.0B127.x.x.xB Class E IP ӷA]oǨӷ IP RMRΩ Internet [C Oƹw]m֤ߩmn /var/log/messagesC

      • accept_source_routeGγ\YǸѾ|Űʳoӳ]wȡA Lثe]Qܤ֨ϥΨoRӷѡAAiHoӳ]wȡC

      • accept_redirectsGSAbP@k[]@ѾA ok IP kAҦp 192.168.0.0/24, 192.168.1.0/24CɧA 192.168.0.100 QnV 192.168.1.100 ǰeTɡAѾi|ǰe@ ICMP redirect ʥ]i 192.168.0.100 ^ǰeƵ 192.168.1.100 YiAӤݳzLѾC] 192.168.0.100 P 192.168.1.100TObP@uW (̥iH^q)AҥHѾ|iӷ IP ϥγ̵u|hǻơCDEbP IP qAoOLkڶǻTIoӳ]w]i|ͤ@ǻLwIAҥHij}LC

      • send_redirectsGPW@AuOȬoe@ ICMP redirect ʥ]C P˫ij}C(WAmNgFo ICMP redirect D˸I} redirect oӶاYi[I)

      MAiHϥΡy echo "1" > /proc/sys/net/ipv4/conf/???/rp_filter zkӎŰʳoӶءALA mijקt]wȡANO /etc/sysctl.conf oɮסI]ڭ̶Ȧ eth0 oӤAӤAӥBWz\nqqŰʡA AiHo˰G
      [root@www ~]# vim /etc/sysctl.conf
      # Adding by VBird 2011/01/28
      net.ipv4.tcp_syncookies = 1
      net.ipv4.icmp_echo_ignore_broadcasts = 1
      net.ipv4.conf.all.rp_filter = 1
      net.ipv4.conf.default.rp_filter = 1
      net.ipv4.conf.eth0.rp_filter = 1
      net.ipv4.conf.lo.rp_filter = 1
      ....(HUٲ)....
      
      [root@www ~]# sysctl -p
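    Added here, and not part of the original chapter: a shell audit that reads an /etc/sysctl.conf body and reports which of the kernel settings the section turns on or off (tcp_syncookies, icmp_echo_ignore_broadcasts, rp_filter, log_martians, accept_source_route, accept_redirects, send_redirects) are missing or set the other way, which is the check to run before trusting that sysctl -p left the host where the listing above expects it. The configuration body and the expected-value list are constructed for the example, and the function names (sysctl_get, sysctl_audit, sysctl_findings) are this example's own. Because sysctl -p applies lines in order, a repeated key ends up with its last value, and the parser does the same.

```shell
#!/bin/sh
# Added example (not from the original chapter): audit a sysctl.conf body
# against the settings the section recommends. All data below is constructed.

WANT='net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0'

# Constructed sysctl.conf: two keys missing, one set the wrong way
SAMPLE_CONF='# Adding for the firewall host
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1   # drop broadcast pings
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.accept_source_route = 0'

# Value of key $2 in sysctl.conf body $1 ("key = value" lines; comments and
# blanks ignored; when a key repeats, the last line wins, as with sysctl -p).
sysctl_get() {
  printf '%s\n' "$1" | sed -e 's/#.*//' -e 's/[[:space:]]//g' \
    | awk -F= -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }'
}

# One line per key in WANT whose value in body $1 differs from the expected
# one (unset counts as a difference); prints nothing when all is in order.
sysctl_audit() {
  printf '%s\n' "$WANT" | while IFS='=' read -r key want; do
    have=$(sysctl_get "$1" "$key")
    [ "$have" = "$want" ] || echo "$key expected=$want have=${have:-unset}"
  done
}

# Number of findings, for scripts that need a pass/fail decision
sysctl_findings() {
  sysctl_audit "$1" | wc -l | tr -d ' '
}

sysctl_audit "$SAMPLE_CONF"
```

On a real host the same functions can be fed the output of sysctl -a instead of the file, which audits the running kernel rather than what will be applied at the next sysctl -p.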
      

    9.4 xE@

    FohykP}`NƶAnӬ[]FCmROnϥθ}ӼgA MzL̜檺 /etc/init.d/iptables save ӱNGxs /etc/sysconfig/iptables hI ӥB@SRiHΦbIsL scripts AiHWh㦳FϥΤ覡C nFANӽͽͦp]w̪WhaI



    9.4.1 Wh[

    mUoӨAiHΨӧ@ѾWA]iHΨӧ@EC ]wsupPUϩҥܡA Linux DE]O LAN ѾIYO@̔x IP ɾ\TI̾ڲĤTت 3.2-1 ]mUoǡG

    • ~ϥ eth0 (pGOD^AiO ppp0AаwAӳ]w)F
    • ϥ eth1 ABϥ 192.168.100.0/24 o Class F
    • DEw]}񪺪AȦ WWW, SSH, https ΆΡF
    Figure 9.4-1

    ѩƱNHk (LAN) PHk (Internet) Ӥ}@IA ҥHƱAiHb Linux WwUHWdANd^bPkAo˥iHקKܦhDC ܩ̭nFOGy}ҦsuAȶ}SwAzҦC ӥB]ϥΪ̤wgL}nVmA]b filter table Tӹw]FOG

    • INPUT DROP
    • OUTPUT FORWARD ACCEPT

    mUwpѪy{Oo˪G

    Figure 9.4-2

    hWA LAN DEPDE}׫@A] Output P Forward O}񤣲zIpaxDEOiH^A]ڭ̤qӋqhAӥBHOxA ҥHݭnSO[HޡIOGybj~Ao˪WُOܤX檺A ]AOҤҦHiHӧAWwӨϥ Network Iz]NOyaRzrI ]A˪s Output P Forward ݭnSO[H޲z~I


    9.4.2 ڳ]w

    WAڭ̦b]wɭԡAӥi|@Ӥ@ӫOKJAq`OQ shell scripts Dڭ̹Fo˪\oIUOQΤWy{ϩҳWُXӪ}AAiHѦҬݬݡA OAݭnNק令AXAۤv~I~AFӭק@KAmN script TAOOG

    • iptables.ruleG]w̰򥻪WhA]AMWhBJœB]wAȥi^ΡF
    • iptables.denyG]w׬YǴcNDEiJF
    • iptables.allowG]w\YǦۭqӷDEI

    mӤHߺDONoӸ}m /usr/local/virus/iptables ؿUAA]iHۦmۤvߺDmhC UN@@o}OgaI

    [root@www ~]# mkdir -p /usr/local/virus/iptables
    [root@www ~]# cd /usr/local/virus/iptables
    [root@www iptables]# vim iptables.rule
    #!/bin/bash
    
    # Fill in your own parameters here first; do not get them wrong!
      EXTIF="eth0"             # the interface that carries the public IP
      INIF="eth1"              # the interface facing the LAN; if there is none, write INIF=""
      INNET="192.168.100.0/24" # the LAN network; if there is none, write INNET=""
      export EXTIF INIF INNET
    
    # Part one: firewall settings for this host itself ##########################################
    # 1. Set the kernel's network parameters first:
      echo "1" > /proc/sys/net/ipv4/tcp_syncookies
      echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
      for i in /proc/sys/net/ipv4/conf/*/{rp_filter,log_martians}; do
            echo "1" > $i
      done
      for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,\
    send_redirects}; do
            echo "0" > $i
      done
    
    # 2. Flush the rules, set the default policies, open lo and accept established connections
      PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin; export PATH
      iptables -F
      iptables -X
      iptables -Z
      iptables -P INPUT   DROP
      iptables -P OUTPUT  ACCEPT
      iptables -P FORWARD ACCEPT
      iptables -A INPUT -i lo -j ACCEPT
      iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    # 3. Run the extra rule scripts (the deny file is loaded before the allow file)
      if [ -f /usr/local/virus/iptables/iptables.deny ]; then
            sh /usr/local/virus/iptables/iptables.deny
      fi
      if [ -f /usr/local/virus/iptables/iptables.allow ]; then
            sh /usr/local/virus/iptables/iptables.allow
      fi
      if [ -f /usr/local/virus/httpd-err/iptables.http ]; then
            sh /usr/local/virus/httpd-err/iptables.http
      fi
    
    # 4. Allow certain ICMP packet types in
      AICMP="0 3 3/4 4 11 12 14 16 18"
      for tyicmp in $AICMP
      do
        iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
      done
    
    # 5. Allow certain services in; uncomment the lines your environment needs
    # iptables -A INPUT -p TCP -i $EXTIF --dport  21 --sport 1024:65534 -j ACCEPT # FTP
    # iptables -A INPUT -p TCP -i $EXTIF --dport  22 --sport 1024:65534 -j ACCEPT # SSH
    # iptables -A INPUT -p TCP -i $EXTIF --dport  25 --sport 1024:65534 -j ACCEPT # SMTP
    # iptables -A INPUT -p UDP -i $EXTIF --dport  53 --sport 1024:65534 -j ACCEPT # DNS
    # iptables -A INPUT -p TCP -i $EXTIF --dport  53 --sport 1024:65534 -j ACCEPT # DNS
    # iptables -A INPUT -p TCP -i $EXTIF --dport  80 --sport 1024:65534 -j ACCEPT # WWW
    # iptables -A INPUT -p TCP -i $EXTIF --dport 110 --sport 1024:65534 -j ACCEPT # POP3
    # iptables -A INPUT -p TCP -i $EXTIF --dport 443 --sport 1024:65534 -j ACCEPT # HTTPS
    
    
    # Part two: firewall settings for the hosts behind this one ###############################
    # 1. Load some useful modules first
      modules="ip_tables iptable_nat ip_nat_ftp ip_nat_irc ip_conntrack 
    ip_conntrack_ftp ip_conntrack_irc"
      for mod in $modules
      do
          testmod=`lsmod | grep "^${mod} " | awk '{print $1}'`
          if [ "$testmod" == "" ]; then
                modprobe $mod
          fi
      done
    
    # 2. Flush the NAT table rules
      iptables -F -t nat
      iptables -X -t nat
      iptables -Z -t nat
      iptables -t nat -P PREROUTING  ACCEPT
      iptables -t nat -P POSTROUTING ACCEPT
      iptables -t nat -P OUTPUT      ACCEPT
    
    # 3. If an internal interface exists (two NICs), act as a router and as an IP sharer!
      if [ "$INIF" != "" ]; then
        iptables -A INPUT -i $INIF -j ACCEPT
        echo "1" > /proc/sys/net/ipv4/ip_forward
        if [ "$INNET" != "" ]; then
            for innet in $INNET
            do
                iptables -t nat -A POSTROUTING -s $innet -o $EXTIF -j MASQUERADE
            done
        fi
      fi
      # If MSN never manages to connect, or some sites work while others do not,
      # it may be an MTU problem; uncomment the line below to clamp the MSS to the path MTU
      # iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss \
      #          --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
    
    # 4. Settings for servers on the LAN behind the NAT server
    # iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 \
    #          -j DNAT --to-destination 192.168.1.210:80 # WWW
    
    # 5. Special cases, such as the rules a Windows remote desktop needs; the desktop host is assumed to be 1.2.3.4
    # iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4  --dport 6000 \
    #          -j DNAT --to-destination 192.168.100.10
    # iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4  --sport 3389 \
    #          -j DNAT --to-destination 192.168.100.20
    
    # 6. Finally, save these settings
      /etc/init.d/iptables save
    

    Pay particular attention to the commented parts of the script above. Basically you only need to adjust the parameter block at the top and the rest takes care of itself. Since every environment is different, however, you will still have to tweak it when you set it up! Now what about the other two scripts? Suppose every host in the network 140.116.44.0/24 should be allowed into this host; iptables.allow could then be written like this:

    [root@www iptables]# vim iptables.allow
    #!/bin/bash
    # Write the rules that allow specific networks or hosts in below
      iptables -A INPUT -i $EXTIF -s 140.116.44.0/24 -j ACCEPT
    
    # The deny file is written the same way
    [root@www iptables]# vim iptables.deny
    #!/bin/bash
    # Write the addresses that should be refused outright below
      iptables -A INPUT -i $EXTIF -s 140.116.44.254 -j DROP
    
    [root@www iptables]# chmod 700 iptables.*
    

    With the permissions of the three files set to 700 and owned by root, you can run iptables.rule! Note, however, that in the case above every service port is closed by default! So you have to remove the comment signs (#) in step 5 for the services you offer. Likewise, if other ports should be opened, extra rules have to be added!
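To see what that ordering means in practice, here is an added example that is not part of the original scripts: a first-match simulator for the INPUT chain that iptables.rule, iptables.deny and iptables.allow build together. It assumes the SSH line in step 5 has been uncommented, and shows that a host listed in iptables.deny is dropped even though its network is in iptables.allow, and that any port still commented out falls through to the DROP policy.

```shell
#!/bin/sh
# Added example, not from the original page: a first-match simulator for the
# INPUT chain that iptables.rule, iptables.deny and iptables.allow build, so
# the effect of rule ORDER can be checked before the real rules are loaded.
# Constructed rule table, in the order the scripts append the rules; the
# port 22 line assumes the SSH rule in step 5 of iptables.rule was uncommented.
# Columns: in-iface proto dport(icmp type for icmp) source state target; '-' = any
INPUT_RULES='
lo    -     -   -                -            ACCEPT
-     -     -   -                ESTABLISHED  ACCEPT
eth0  -     -   140.116.44.254   -            DROP
eth0  -     -   140.116.44.0/24  -            ACCEPT
eth0  icmp  8   -                -            ACCEPT
eth0  tcp   22  -                -            ACCEPT
eth1  -     -   -                -            ACCEPT
'
INPUT_POLICY=DROP   # from: iptables -P INPUT DROP

# src_matches RULE_SRC PKT_SRC: '-' matches everything, a.b.c.0/24 matches on
# the first three octets, anything else must equal the packet source exactly.
src_matches() {
  case "$1" in
    -)    return 0 ;;
    */24) [ "${1%.*}" = "${2%.*}" ] ;;
    *)    [ "$1" = "$2" ] ;;
  esac
}

# input_verdict IFACE PROTO DPORT SRC STATE -> prints ACCEPT or DROP.
# Walks the table top to bottom and stops at the first rule whose every
# column matches, as the kernel does; no match falls through to the policy.
input_verdict() {
  verdict=$(printf '%s\n' "$INPUT_RULES" |
    while read -r r_if r_pr r_dp r_src r_st r_tgt; do
      [ -n "$r_if" ] || continue
      { [ "$r_if" = - ] || [ "$r_if" = "$1" ]; } || continue
      { [ "$r_pr" = - ] || [ "$r_pr" = "$2" ]; } || continue
      { [ "$r_dp" = - ] || [ "$r_dp" = "$3" ]; } || continue
      src_matches "$r_src" "$4" || continue
      { [ "$r_st" = - ] || [ "$r_st" = "$5" ]; } || continue
      echo "$r_tgt"; break
    done)
  echo "${verdict:-$INPUT_POLICY}"
}
```

Calling input_verdict eth0 tcp 22 140.116.44.254 NEW prints DROP while input_verdict eth0 tcp 80 140.116.44.7 NEW prints ACCEPT, which is exactly the deny-before-allow order step 3 of the script enforces.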

    As said earlier, though, this firewall only provides basic protection; the other problems still have to be dealt with separately! In addition, if you want the script to run automatically at boot, write its full path into /etc/rc.d/rc.local, roughly like this:

    [root@www ~]# vim /etc/rc.d/rc.local
    ....(other lines omitted)....
    # 1. Firewall
    /usr/local/virus/iptables/iptables.rule
    

    Since the end of the script already saves the rules into the default rule file, running it once is enough to have the correct rules on every boot; the rc.local entry above is just a safeguard. ^_^ Also, please do not edit the three files on a Windows system and then copy them to Linux: the Windows line endings will stop the files from running. Edit them directly on Linux, or run dos2unix on them after copying to strip the line-ending characters, and there will be no problem!

    That is the simplest, most basic firewall. At the same time this case can also act as the most basic IP sharer, which is what the second part of iptables.rule sets up. That is covered in the next section.


    9.5 NAT server configuration

    Phew, we finally get here! We are about to set up a router service, the NAT server. What is NAT? Put simply, you can think of it as the IP sharer for the hosts inside the LAN!

    NAT stands for Network Address Translation, literally the translation of network addresses. Think about it: a TCP/IP packet carries IP addresses, and those addresses have a source and a destination. Our iptables command can rewrite the IP packet header, so even the source or destination IP address can be changed, and the port number in the TCP header as well! Quite interesting!

    Besides the IP sharing function of figure 9.1-2, a NAT server can also provide the DMZ (demilitarized zone) function of figure 9.1-4! All of this comes down to NAT rewriting either (1) the source IP or (2) the destination IP. Let us look at both! ^_^



    9.5.1 What is NAT? SNAT? DNAT?

    Before going into how NAT actually works, look once more at how a packet passes through this iptables firewall to a host behind it (see figure 9.3-4). Taking the layout of figure 9.1-2, when a host inside the LAN wants to send a packet out, how does that packet travel through the Linux host? Like this:

    1. it first passes through the PREROUTING chain of the NAT table;
    2. the routing decision then determines whether the packet is addressed to this host; if not, it goes on to the next step;
    3. it passes through the FORWARD chain of the filter table;
    4. it passes through the POSTROUTING chain of the NAT table and is finally sent out.

    The essence of a NAT server lies in steps 1 and 4 of that flow, that is, the two important chains of the NAT table: PREROUTING and POSTROUTING. What makes them important? Both rewrite an IP, but not the same one! POSTROUTING rewrites the source IP, while PREROUTING rewrites the destination IP. Because different IPs are rewritten, they are called source NAT (Source NAT, SNAT) and destination NAT (Destination NAT, DNAT). Let us start with the SNAT behind the IP sharing function!



    • Source NAT, SNAT: rewriting the source field of the packet header

      Do you remember the IP sharer mentioned in chapter 1? It lets several hosts at home reach the Internet at the same time through a single ADSL line. In the connection layout of figure 9.1-2 the Linux host is that IP sharer! How does it achieve IP sharing? Through the POSTROUTING chain of the NAT table. So, in the layout of figure 9.1-2, how does the NAT server handle the packet?

      Figure 9.5-1: SNAT, the packet on its way out

      As the figure shows, when the client 192.168.1.100 connects to http://tw.yahoo.com, how does the packet header change?

      1. In the header of the packet the client sends, the source is 192.168.1.100, and the packet is delivered to the NAT host;
      2. The NAT host (192.168.1.2) receives the packet and inspects the header; since the destination is not the Linux host itself, the packet goes through routing and is passed towards the public IP interface that can reach the Internet;
      3. Because private and public IPs cannot talk to each other directly, the Linux host uses the Postrouting chain of the iptables NAT table to masquerade the packet's source as its own public IP, records the two sources (192.168.1.100 and the public IP) in memory, and then sends the packet out;

      When the packet is seen on the Internet, it appears to come from that public IP; nobody knows it really originated inside. Fine, but what happens when the Internet sends a reply back?

      Figure 9.5-2: SNAT, the reply packet

      1. The host on the Internet that received the packet sends its reply to the host with the public IP;
      2. When the Linux NAT server receives the reply from the Internet, it examines the packet's sequence data and compares it with the record kept in memory; finding that this belongs to a packet a host behind it sent earlier, the NAT Prerouting chain rewrites the destination IP to that host, 192.168.1.100, and since the destination is now no longer this host (the public IP), routing decides where the packet goes;
      3. The packet is passed to the internal interface 192.168.1.2 and then on to its final destination, 192.168.1.100!

      From this flow you can see that every host in the LAN can get out through the NAT server, while everyone on the Internet sees the same IP (the NAT host's public IP!). So as long as the LAN hosts do not run public sites, they enjoy a certain amount of protection, because other hosts on the Internet have no way to open a connection to a PC inside the LAN! That is why the simplest NAT function is an IP sharer, and it is one form of SNAT.
      Tips:
      How does a NAT server differ from a router? A NAT server is always a router, but because it rewrites the IP header it differs from a router that merely forwards packets. The common IP sharer is a router with one public IP and one private IP, so that the private LAN addresses can get out through its public IP; a plain router usually has public IPs on both sides, or private IPs on both.

    • Destination NAT, DNAT: rewriting the destination field of the packet header

      SNAT mainly serves the LAN's access to the Internet, whereas DNAT is mainly used when an internal host should run a server that the Internet can reach, much like the servers in the DMZ of figure 9.1-4! Let us look at how DNAT works too!

      Figure 9.5-3: DNAT packet delivery

      As the figure shows, suppose the internal host 192.168.1.210 runs a WWW service listening on port 80. How does a host on the Internet (61.xx.xx.xx) connect to that internal server? It still has to go through the Linux NAT server, of course! So the Internet host must connect to our NAT server's public IP.

      1. The external host wants to reach the WWW service of the internal host, so it connects to our NAT server;
      2. Our NAT server has been configured to pick out port 80 packets, so when it receives this packet it rewrites the destination IP from the public IP to 192.168.1.210, records the packet's details, and waits for the internal server's reply;
      3. After routing, the packet arrives at the private interface and is delivered over the LAN to 192.168.1.210!
      4. 192.168.1.210 replies to 61.xx.xx.xx; that reply naturally goes to 192.168.1.2 first;
      5. After the routing decision the reply reaches the NAT Postrouting chain, where the record from step 2 is used to change the source IP from 192.168.1.210 back to the public IP, and the packet is sent out!

      The whole procedure is almost SNAT in reverse! That is DNAT. Simple, isn't it?
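The two flows side by side, as an added example that is not part of the original text: a miniature model of the SNAT path of figures 9.5-1 and 9.5-2 and the DNAT path of figure 9.5-3. It assumes 203.0.113.5 as a constructed stand-in for the NAT host's public IP, and reduces the conntrack record the text mentions to a list of LAN sources matched by port alone.

```shell
#!/bin/sh
# Added example, not from the original page: a miniature model of the NAT paths
# in figures 9.5-1 to 9.5-3. PUBLIC_IP is a constructed address standing for the
# NAT host's public side; the LAN uses 192.168.1.0/24 and the WWW server behind
# the NAT is 192.168.1.210, as in the text. CT stands in for the conntrack table
# the text mentions: one "lanip:port" line per masqueraded flow (matched here by
# port only, a simplification of the real 5-tuple lookup).
PUBLIC_IP=203.0.113.5
WWW_LAN=192.168.1.210
CT=""

# snat_out LANIP:PORT DST:PORT   (figure 9.5-1, step 3: POSTROUTING)
# Records the LAN source in CT and rewrites the source address to PUBLIC_IP,
# keeping the source port. Prints the rewritten "src -> dst" header.
snat_out() {
  CT=$(printf '%s\n%s' "$CT" "$1")
  echo "$PUBLIC_IP:${1#*:} -> $2"
}

# nat_in SRC:PORT DST:PORT   (PREROUTING for packets arriving on the public side)
# 1. reply to a masqueraded flow (figure 9.5-2, step 2): the destination port
#    is in CT, so the destination is rewritten to the LAN host and forwarded;
# 2. new connection to PUBLIC_IP:80 (figure 9.5-3, step 2): DNAT to WWW_LAN;
# 3. anything else is left alone and goes on to the NAT host's INPUT chain.
nat_in() {
  dport=${2#*:}
  entry=$(printf '%s\n' "$CT" | grep ":${dport}\$" | head -n 1)
  if [ "${2%:*}" = "$PUBLIC_IP" ] && [ -n "$entry" ]; then
    echo "$1 -> $entry (FORWARD)"
  elif [ "${2%:*}" = "$PUBLIC_IP" ] && [ "$dport" = 80 ]; then
    echo "$1 -> $WWW_LAN:80 (FORWARD)"
  else
    echo "$1 -> $2 (INPUT)"
  fi
}

# dnat_reply_out SRC:PORT DST:PORT   (figure 9.5-3, step 5: POSTROUTING)
# The WWW server's reply gets its source rewritten back to PUBLIC_IP:80;
# replies from any other LAN host are printed unchanged.
dnat_reply_out() {
  [ "$1" = "$WWW_LAN:80" ] && set -- "$PUBLIC_IP:80" "$2"
  echo "$1 -> $2"
}
```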

    9.5.2 The most basic NAT server: IP sharing

    Of all the services a Linux NAT server can offer, the most common is the IP sharing function of figure 9.1-2. From the explanation just given you know that IP sharing is simply SNAT: it does nothing but masquerade the IP in the POSTROUTING chain of the iptables NAT table, after routing. You also need to know that your NAT server must have one interface with a public IP and one private IP interface connected to the internal LAN. In the example below the environment is as follows:

    • the external side uses eth0, the interface that carries the public IP;
    • the internal side uses eth1, whose IP is 192.168.100.254;

    Simple! Set it up with what the previous sections covered, and make sure you understand the basic network concepts. In NAT server setups the part that most often goes wrong is routing, especially when the external interface is the dial-up ppp0; that problem comes up a lot. Take care: if your public IP is obtained by dial-up or by cable modem, do not set GATEWAY in /etc/sysconfig/network, ifcfg-eth0 or ifcfg-eth1, otherwise two default gateways appear and cause trouble.

    If you have downloaded iptables.rule, that file already contains the NAT function! In its second part, the NAT server settings, you can see these lines:

    iptables -A INPUT -i $INIF -j ACCEPT
    # This line lets the LAN use the NAT server's own resources.
    # In this example $INIF is the eth1 interface
    
    echo "1" > /proc/sys/net/ipv4/ip_forward
    # The line above is what gives your Linux host its router capability
    
    iptables -t nat -A POSTROUTING -s $innet -o $EXTIF -j MASQUERADE
    # This line is the key: it adds the IP masquerade to the nat table! In this example $innet is 192.168.100.0/24
    # and $EXTIF is the external interface, eth0 in this example
    

    The point is that MASQUERADE! This target means "masquerade the IP as the address of the device the packet leaves through (-o)". In the example above that is $EXTIF, that is, eth0! So as long as a packet's source is in $innet (the other hosts on the LAN) and the packet goes out through eth0, its source IP is automatically rewritten to eth0's public IP! That is all there is to it! Download iptables.rule, set the internal and external interfaces, run iptables.rule, and your Linux host has the NAT server function!

    Example:
    With the setup described above, how should the other PCs in the LAN be configured?
    Answer:
    It is simple: use the NAT server as the PCs' GATEWAY! Just keep to these values:
    • NETWORK 192.168.100.0
    • NETMASK 255.255.255.0
    • BROADCAST 192.168.100.255
    • IP may be anywhere from 192.168.100.1 to 192.168.100.254, and must not be duplicated!
    • the gateway must be 192.168.100.254 (the NAT server's private IP)
    • DNS (/etc/resolv.conf) should be 168.95.1.1 (Hinet) or 139.175.10.20 (Seed Net); this depends on your ISP

    Besides IP masquerading (MASQUERADE), we can also rewrite the source IP of the packet header directly! For instance, take the following example:

    Example:
    Suppose the external IP is fixed at 192.168.1.100 and you do not want to use masquerading; how do you handle that?
    Answer:
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT \
             --to-source 192.168.1.100

    Example:
    Suppose your NAT server has several external IPs and you want outgoing traffic to use them in turn; how do you set that up? Say the IP range is 192.168.1.210~192.168.1.220.
    Answer:
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT \
             --to-source 192.168.1.210-192.168.1.220

    This also rewrites the source IP of the packet! Unless you have fixed IPs, and several of them for outgoing connections, plain IP masquerading is enough and this kind of SNAT is not needed. Of course, you may have special uses of your own! ^_^


    9.5.3 Extra kernel modules for iptables

    If you read the second part of iptables.rule carefully, did you wonder why some extra modules need to be loaded, ip_nat_ftp and ip_nat_irc for instance? This is because many protocols transfer their packets in unusual ways; FTP in particular uses two ports to move its data! That is covered in the FTP chapter. What you should know here is that iptables comes with many useful modules that assist packet filtering and save us from writing a lot of iptables rules. Very handy! ^_^


    9.5.4 DNAT settings for servers behind the firewall

    Since SNAT gives us IP sharing, we can of course use iptables to build a DMZ as well! But because different servers move their packets in somewhat different ways, beginners are advised not to play with this; it is easy to end up with services the Internet cannot reach.

    So how are the iptables commands issued when DNAT is wanted? Remember that DNAT uses the Prerouting chain of the nat table; do not mix them up.

    Example:
    Suppose the internal host 192.168.100.10 is a WWW server that should be reachable from the Internet; how are WWW packets passed through the NAT firewall to that host?
    Answer:
    Assuming the public IP sits on eth0, the rule is:
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
         -j DNAT --to-destination 192.168.100.10:80

    The key is "-j DNAT --to-destination IP[:port]": packets that come in through eth0 and ask for port 80 are redirected to the IP and port 192.168.100.10:80! IP and port can be rewritten at the same time; very convenient. There are a few more advanced ways to use iptables, such as the following:

    -j REDIRECT --to-ports <port number>
    # This one is also common; it simply maps a port on this host to another port!
    # Note, though, that this action can only be used in the nat table's PREROUTING
    # and OUTPUT chains!
    
    Example: send packets that ask for port 80 to port 8080
    [root@www ~]# iptables -t nat -A PREROUTING -p tcp  --dport 80 \
    > -j REDIRECT --to-ports 8080
    # This is most often used when a well-known protocol runs on a non-standard port,
    # for example a WWW server started on port 8080 while the clients still connect
    # to port 80; the rule above passes those connections on to 8080 on this host!
    

    Other uses are up to your own imagination! ^_^


    9.6 Summary
    • To run a secure host you need good host permission settings, timely system updates, a sound software plan and well-trained users; a firewall alone is not enough;
    • The main job of a firewall is to control the sources allowed to reach certain services, which it can do by source and destination IP;
    • By the level at which packets are analysed, firewalls divide into Proxy and IP Filter (packet filtering) types;
    • The network segment behind the firewall but outside the LAN is usually called the DMZ (demilitarized zone), as shown in figure 9.1-4;
    • A packet-filtering firewall can usually analyse at least IP, port, flags (such as the TCP SYN flag) and MAC;
    • A firewall offers no defence against viruses;
    • A firewall cannot be relied on against attacks from the inside or against vulnerabilities in the software itself;
    • Setting up a firewall does not by itself make a system secure! Patches still have to be applied and user permissions still have to be managed;
    • Linux with kernel 2.4 or later uses iptables as its firewall;
    • The order of the firewall rules matters a great deal! Rules in the wrong order may fail to take effect;
    • iptables has three default tables, filter, nat and mangle; the commonly used ones are filter (for this host) and nat (for the hosts behind it).
    • The filter table is mainly for this host's own firewall and, by packet direction, has the three chains INPUT, OUTPUT and FORWARD;
    • The nat table is mainly for the hosts behind this one and, by packet direction, has the three chains PREROUTING, OUTPUT and POSTROUTING, of which PREROUTING is tied to DNAT and POSTROUTING to SNAT;
    • When a packet matches none of the iptables rules, the default policy (policy) decides what happens to it;
    • The iptables command takes many parameters; when -j LOG is given, the packet's passage is recorded in /var/log/messages;
    • Protection can be layered: after configuring iptables you can still configure TCP Wrappers as well, because it is hard to rule out that iptables gets switched off or a rule is written wrongly at some point!

    9.7 Exercises
    • I have set up a firewall; does that mean my host can no longer be infected?
      No. A firewall does not prevent infection by viruses or by malicious programs that get in through other means! Moreover, if your host already offers several network services, a vulnerability in one of those services cannot be stopped by the firewall either, so ongoing monitoring and analysis of the host is still required
    • I have set up a firewall; does that mean my host cannot be broken into? What would an intrusion rely on?
      The firewall only rejects certain unwanted packets. If you open the WWW service, packets asking for port 80 on your host are let in, and when the WWW software has a flaw it can still be exploited! So keeping the software up to date is important
    • We know that a Linux system with a 2.6 kernel uses iptables as its firewall; how do I find out my Linux kernel version?
      Use uname -r to look it up!
    • List the two main tables iptables provides by default, the chains in each table, and what each chain means;
      The filter table, which is the default table:
      • INPUT: packets coming from outside that want to enter this host;
      • OUTPUT: packets originating from this host that want to leave it;
      • FORWARD: packets passing between the internal and external networks (in either direction) that do not enter this host.
      Then the nat table:
      • PREROUTING: the packet path before the routing decision
      • OUTPUT: the path of packets leaving this host;
      • POSTROUTING: filtering applied after the routing decision has been made.
    • What is the iptables default policy (Policy)? If I want the filter table's INPUT chain to have DROP as its default policy, what do I type?
      When none of a packet's attributes match any rule, the Policy decides whether the packet passes; it is the packet's final fate!
      iptables -P INPUT DROP
    • Suppose my Linux box is only a client and offers no service to the Internet; how should the basic rules be set?
      Since no Internet service is offered, (1) close all externally reachable ports! (2) as for the rules, the INPUT policy must be DROP, and then adding "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT" is enough!
    • I want to drop packets from the source IP 192.168.1.50 whenever they are addressed to my ports 21~23; what iptables command do I use?
      iptables -A INPUT -p tcp -s 192.168.1.50 --dport 21:23 -j DROP
    • I want to stop my host from answering ping; what iptables command do I use?
      Because the request that ping sends is icmp type 8 (see the ICMP packet description in the network basics chapter), I can do this:
      iptables -I INPUT -p icmp --icmp-type 8 -j DROP
    • Is this command correct? "iptables -A INPUT -p udp --syn -s 192.168.0.20 -j DROP"
      Only TCP packets carry a SYN flag; UDP has no SYN flag! So the command above is wrong
    • What does a DNS request involve, and how do I configure my host to accept the replies to its DNS requests?
      Because the DNS source is port 53, accepting packets that come from port 53 is enough:
      iptables -A INPUT -p udp --sport 53 -j ACCEPT
      iptables -A INPUT -p tcp --sport 53 -j ACCEPT
    • How do I turn off iptables on my system?
      To drop the rules you do not have to stop the iptables service; just flush the rules:
      iptables -F; iptables -X; iptables -Z
      iptables -t nat -F; iptables -t nat -X; iptables -t nat -Z
    • How do I save the current firewall, and how do I restore a saved firewall into the running system?
      Use the iptables-save and iptables-restore commands together with stream redirection! You can also save with /etc/init.d/iptables save!
    • A PC user in your LAN keeps misusing the Internet; you want to lock his IP out, but he keeps changing to another IP to reconnect. How do you stop him from connecting again?
      Block that PC's MAC address instead!

    9.8 References and further reading

    2002/08/20: first version completed
    2003/08/25: reorganized the content and added some notes on protecting the firewall, to set it apart from the previous chapter on understanding network security!
    2006/09/06: moved the old article here
    2006/09/11: removed the TCP Wrappers material already covered in the chapter on services.
    2006/09/13: added the NAT section and moved the old NAT server article here.
    2006/09/15: reworked the rules in iptables.rule! The previous file had some problems
    2006/11/08: because the MTU of PPPoE dial-up and Ethernet differ, which in some cases left users unable to connect, updated iptables.rule.
    2010/10/27: moved the old CentOS 4.x article here
    2011/02/08: redrew many figures and tidied the text; no major changes!
    2011/07/22: moved the old CentOS 5.x article here

    http://www.okfdzs1903.com is designed by VBird during 2001-2011. ksu.edu